Someone made a bookmarklet to disable it: https://github.com/kfahy/slack-disable-wysiwyg-bookmarklet
Google did suddenly start supporting U2F in Firefox a few months ago!
Unlimited! Except for passwordless credentials, which do consume storage space aboard the device. But second factor (U2F style) credentials are stored encrypted on the server, so there's unlimited "space" for them.
If the server allows it, sure.
That won't work for U2F or FIDO2, unfortunately, since the master key is not configurable. You need to enroll both keys with each new service, sadly.
For U2F you're right that it becomes single factor if you use the device as the only factor. With FIDO2 (which is what makes passwordless available), however, the device supports a local PIN as the "something you know"…
It's a hardware token that supports a local PIN as a second factor.
My friend lost his YubiKey and found it embedded in his gravel driveway six months later. Still worked like nothing had happened.
And even then, the token would lock itself down after too many incorrect PIN attemtpts.
NEO also does OpenPGP over NFC on Android. iOS only recently started opening up NFC to non-Apple developers.
Yubico currently sells one at $20. https://www.yubico.com/product/security-key-by-yubico/#secur... There are competing U2F keys, but I don't know of any competitors that support FIDO2 yet.
>where somebody else owns your identity, not you Care to elaborate on how you mean WebAuthn prescribes that? The GUN explainer videos also seem to assume there's a server involved, so I don't understand what you mean is…
No, you were right at the beginning. There is no "root" or "real" pubkey. A separate keypair is generated each site, so that - like you said - identities are unlinkable. This is also a crucial part of what makes these…
Yeah, and a separate keypair is generated for each site.
Web Authentication is part of FIDO2, which is what Microsoft is pushing. Whether you use it for passwordless login or second factor depends on what the server wants and what authenticator hardware the user has.
I'm sorry, I don't understand at all what you mean by that.
No - that process _remains_ a pathway for exploits against the particular website being targeted. The process does not open new pathways for transferring exploits from one site to another - on the contrary, such…
To be more precise, the PIN is the key that unlocks the keyring (the hardware token) that contains the keys (asymmetic keypairs) to the various kingdoms (websites). WebAuthn is not a single sign-on framework, and…
Oh, maybe I didn't get the entire question. There's no global identity or "root credential" used for all websites. A separate keypair is created for each website, and a keypair for site A is not usable on site B even if…
I think you misunderstand how WebAuthn works - there's no "root credential". See my other reply https://news.ycombinator.com/item?id=17032637 No third party issues tokens in WebAuthn either - you have your one or a…
I think you misunderstand how WebAuthn works - see my other reply to your previous message.
Wait a second. Web Authentication is not an SSO framework - there's no "root credential". Each server you use the token on gets its own keypair which is used for only that site. It seems like the scenario you're…
It's mostly for host-authenticator communications, yes, but it it includes a couple of helpers for verifying signatures. But you're right it's not a full-featured server library at this point.
From what I understand, Firefox doesn't implement the whole U2F spec, and Google and Facebook use some of the features (appID facets) FF left out. However, Firefox, Chrome and Edge all plan to implement the whole Web…
The PIN is not stored on the key, it's used to unlock the key. Your analysis is correct, but your premise is false.
Someone made a bookmarklet to disable it: https://github.com/kfahy/slack-disable-wysiwyg-bookmarklet
Google did suddenly start supporting U2F in Firefox a few months ago!
Unlimited! Except for passwordless credentials, which do consume storage space aboard the device. But second factor (U2F style) credentials are stored encrypted on the server, so there's unlimited "space" for them.
If the server allows it, sure.
That won't work for U2F or FIDO2, unfortunately, since the master key is not configurable. You need to enroll both keys with each new service, sadly.
For U2F you're right that it becomes single factor if you use the device as the only factor. With FIDO2 (which is what makes passwordless available), however, the device supports a local PIN as the "something you know"…
It's a hardware token that supports a local PIN as a second factor.
My friend lost his YubiKey and found it embedded in his gravel driveway six months later. Still worked like nothing had happened.
And even then, the token would lock itself down after too many incorrect PIN attemtpts.
NEO also does OpenPGP over NFC on Android. iOS only recently started opening up NFC to non-Apple developers.
Yubico currently sells one at $20. https://www.yubico.com/product/security-key-by-yubico/#secur... There are competing U2F keys, but I don't know of any competitors that support FIDO2 yet.
>where somebody else owns your identity, not you Care to elaborate on how you mean WebAuthn prescribes that? The GUN explainer videos also seem to assume there's a server involved, so I don't understand what you mean is…
No, you were right at the beginning. There is no "root" or "real" pubkey. A separate keypair is generated each site, so that - like you said - identities are unlinkable. This is also a crucial part of what makes these…
Yeah, and a separate keypair is generated for each site.
Web Authentication is part of FIDO2, which is what Microsoft is pushing. Whether you use it for passwordless login or second factor depends on what the server wants and what authenticator hardware the user has.
I'm sorry, I don't understand at all what you mean by that.
No - that process _remains_ a pathway for exploits against the particular website being targeted. The process does not open new pathways for transferring exploits from one site to another - on the contrary, such…
To be more precise, the PIN is the key that unlocks the keyring (the hardware token) that contains the keys (asymmetic keypairs) to the various kingdoms (websites). WebAuthn is not a single sign-on framework, and…
Oh, maybe I didn't get the entire question. There's no global identity or "root credential" used for all websites. A separate keypair is created for each website, and a keypair for site A is not usable on site B even if…
I think you misunderstand how WebAuthn works - there's no "root credential". See my other reply https://news.ycombinator.com/item?id=17032637 No third party issues tokens in WebAuthn either - you have your one or a…
I think you misunderstand how WebAuthn works - see my other reply to your previous message.
Wait a second. Web Authentication is not an SSO framework - there's no "root credential". Each server you use the token on gets its own keypair which is used for only that site. It seems like the scenario you're…
It's mostly for host-authenticator communications, yes, but it it includes a couple of helpers for verifying signatures. But you're right it's not a full-featured server library at this point.
From what I understand, Firefox doesn't implement the whole U2F spec, and Google and Facebook use some of the features (appID facets) FF left out. However, Firefox, Chrome and Edge all plan to implement the whole Web…
The PIN is not stored on the key, it's used to unlock the key. Your analysis is correct, but your premise is false.